5 | 2011
The Real Deal

The cyber security threat is a grave and growing national security concern.

A Real Steal

Nonsense. Most cyber threat warnings are being hyped for personal gain and profit.

"What is the cyber security threat, and how worried -- if at all -- should we be?"

-- Robert N. Charette, Guest Editor

Opening Statement

THE NATURE OF THE CYBER THREAT

Over the past few weeks, I have received nearly a half-dozen notifications from companies that I do business with saying that my email address, along with possibly some personal information, has been compromised because of "unauthorized intrusions" at a third-party Internet retail marketing provider called Epsilon. Each company profoundly apologized for the "inconvenience" this breach in cyber security may have caused me, warned me to beware of possible phishing emails flooding my inbox, and promised that they will be working hard to ensure that such an occurrence won't ever happen again.

I hardly feel reassured by their promises.

For scarcely a week goes by without some major cyber security event. In the first four months of 2011 alone, not only have millions of email addresses been compromised by the Epsilon security breach, but over 100 million Sony PlayStation accounts have also been placed at risk by a hacking attack. In Texas, the state comptroller informed 3.5 million former and current state workers that their names, addresses, and Social Security numbers were left accessible on a public server for at least a year by mistake. In South Korea, the police have arrested two persons and are still seeking several others who broke into Hyundai Capital's financial systems, stole the personal and financial details from 420,000 customer accounts, and then tried to blackmail the company into giving them US $460,000 to ensure the stolen information was not released. The state of Oklahoma also reported that a laptop containing the medical records of 133,000 patients was stolen from a government employee's car, while the MidState Medical Center in Meriden, Connecticut, revealed that a computer hard drive containing 93,500 patient records had been "misplaced."

Nor are security vendors immune. There has been a partially successful cyber attack on the two-factor authentication security product called SecurID by RSA, which is used by 30,000 organizations and 40 million people around the world. If the attack had been fully successful, banking systems around the world could have been compromised. Another security company, Comodo, discovered that a hacker was able to obtain from it nine bogus Internet Secure Sockets Layer (SSL) certificates for some of the world's largest websites, including Google, Microsoft, Yahoo!, Skype, and Mozilla. The company was able to revoke the certificates within hours of their issuance, but if it had not, the hacker could have used these certificates to impersonate the login pages of these sites and steal user names and passwords.

There has also been a reported increase in the number of cyber attacks against country infrastructure systems like electric grids in the past year. Nearly 80% of electric power executives in 14 countries surveyed by the security company McAfee and the Center for Strategic and International Studies have had a large-scale denial-of-service attack directed against their operations in the recent past. Some 40% of the executives further believe that their organizations will face a major cyber attack before the end of 2012.[1]

CYBER ATTACKS AGAINST GOVERNMENTS

In addition to cyber attacks on commercial organizations, since the beginning of the year unknown cyber intruders have been able to penetrate sensitive government IT systems in the US, Canada, France, and Australia. In the last case, the intruders were able to access the personal email accounts of several senior Australian government officials, including possibly the prime minister's. In each of these cases, it is suspected that unfriendly governments instigated the attacks. The US Department of Defense says that more than 100 foreign intelligence organizations routinely try to break into US military digital networks, and admits that, in 2007, one succeeded.[2]

In Iran in 2009 and 2010, cyber attacks using a sophisticated computer worm called Stuxnet successfully targeted the Siemens IT supervisory control and data acquisition (SCADA) systems that controlled the nuclear centrifuges used to enrich uranium in that country's nuclear facilities. Stuxnet reportedly caused damage to hundreds of centrifuges and set back Iran's nuclear power program by up to two years. Iran, which has blamed the Stuxnet attack on the US and Israel, admitted recently that Stuxnet continues to cause security concerns even today.[3]

In testimony before the US House Select Committee on Intelligence in February 2011, Director of National Intelligence James Clapper said the cyber threat has reached the point that "its impact is difficult to overstate. Industry estimates the production of malicious software has reached its highest level yet, with an average of 60,000 new programs or variations identified each day."[4] US President Barack Obama has said the cyber security threat is "one of the most serious economic and national security challenges we face as a nation" and that, if left unchecked, it could severely threaten US prosperity.[5] As a result of the perceived threat, the US government is currently spending some $8.7 billion on cyber security activities and is projected to spend $12-$14 billion by 2015.[6]

The US is not alone in seeing cyber security as a national threat. The UK government, for instance, has made cyber security its highest national priority. It has allocated £650 million to increase its cyber security capabilities this year, with rises in spending projected for several years to come.[7] Other countries have similarly increased their cyber security funding.

CYBER THREAT? WHAT THREAT?

Yet among all the talk of what would seem to be an imminent cyber Armageddon, there are voices questioning whether the cyber security threat is being deliberately overhyped. Even the US administration is sending mixed signals about the seriousness of the cyber security threat it has been touting. Soon after Clapper's February testimony, White House Cybersecurity Coordinator Howard Schmidt tried to deflate Clapper's message by claiming that cyber security events are being oversensationalized and should be seen as "just the risk of doing business."[8]

Schmidt is not alone. His viewpoint is supported by Peter Sommer and Ian Brown, authors of a report for the Organisation for Economic Co-operation and Development (OECD) entitled Reducing Systemic Cybersecurity Risk.[9] In the report, Sommer and Brown state, "It is unlikely that there will ever be a true cyber war" and that there is only a very remote possibility that a cyber attack would ever cause the same level of destruction as, say, a hurricane or pandemic. Then there are others who contend that security companies and consultants have overstated the cyber security threat in order to gain financially. Researchers Jerry Brito and Tate Watkins of the Mercatus Center at George Mason University argue that there is a lack of clear evidence of a cyber war threat and that the constant drumbeat of "cyber doom" is more likely a case of "threat inflation" by an emerging cyber-industrial complex that has eerie parallels to the military-industrial complex. "This complex," they write, "may serve to not only supply cybersecurity solutions to the federal government, but to drum up demand for them as well."[10]

MAKING SOME SENSE OF IT ALL

So what is the cyber security threat, and how worried -- if at all -- should we be? That is the question this issue of Cutter IT Journal delves into. We have six articles by leading cyber security experts who provide some needed clarity to the current debates.

We begin with Larry Constantine, who looks at the aforementioned Stuxnet computer worm, which he says represents a "next-generation" cyber security threat. He reviews the essential elements of Stuxnet and its attack vector so that we can learn from the experience. As Constantine notes, companies with high-value physical assets that are in turn controlled by digital systems must be aware that Stuxnet has changed the cyber security environment into a much more dangerous one.

Our second article is by Shari Lawrence Pfleeger, who examines the cyber security threat from a policy-making perspective. She discusses the three challenges involved in the continued building and use of our global cyber infrastructure: the diverse and distributed ownership of the infrastructure, cyber's appeal as a criminal tool, and the difficulty in quickly identifying and reacting to unexpected disruptions to the cyber infrastructure. Pfleeger examines the critical issues that can undermine cyber infrastructure security and suggests some governmental and corporate policies that can contribute to more secure operation of the cyber infrastructure.

Next, Jeffrey Ingalsbe, Dan Shoemaker, Nancy Mead, and Wesley Meier look at how the current focus on fighting cyber crime has made it harder to fend off more consequential cyber threats, specifically a cyber war. They contend that the future cyber world of cloud computing, mobile computing, and ubiquitous computing will only make mitigating the risks of a cyber war more difficult unless there is a change in the current cyber crime focus. The authors carefully compare and contrast the concepts of cyber crime and cyber war and provide recommendations for organizations to prepare for a cyber conflict.

The cyber security risks of cloud computing are the specific focus of our next author, Frank Coyle. Corporations and governments view cloud computing as a way to reduce operational computing costs and increase cyber security, but as Coyle notes, cloud computing brings along its own set of risks. He discusses the pros and cons of cloud computing from a security perspective, as well as which cyber security risks should receive closer scrutiny.

Our next author, Larry Clinton, offers a theory of Internet security through the use of what he calls "The Seven Syllogisms of Cyber Security." Clinton suggests that we can use these syllogisms to chart a path toward a comprehensive and sustainable system of cyber security that embraces operational, economic, and policy factors. By following this logic-defined path, Clinton contends that specific policy directions for enhancing cyber security can be formulated.

In our final article, Esti Peshin examines how social media has changed the way people communicate with one another. Instead of person-to-person(s) interaction, individuals now interact with large groups of people simultaneously. However, the current policies and laws by which law enforcement and government security services operate were not designed to take into account social media, which makes legitimate and lawful monitoring of these communications (e.g., when they involve cyber criminals or cyber terrorists) difficult if not impossible. Peshin discusses how the rules for monitoring such communications need to change -- a change that many will find highly controversial -- to eliminate what is effectively a cyber haven for those who wish to do harm.

I think you will agree that the articles in this issue provide a number of fresh and interesting perspectives on the cyber security debate -- without the hyperbole. I trust you will enjoy them.

ENDNOTES

1 Baker, Stewart, Natalia Filipiak, and Katrina Timlin. In the Dark: Crucial Industries Confront Cyberattacks. McAfee, Inc., 2011.

2 Lynn, William J., III. "Defending a New Domain: The Pentagon's Cyberstrategy." Foreign Affairs, Vol. 89, No. 5, September/October 2010, pp. 97-108.

3 Erdbrink, Thomas, and Joby Warrick. "Iran: Country Under Attack by Second Computer Virus." The Washington Post, 25 April 2011.

4 Clapper, James R., Director of National Intelligence. Testimony before the US House Permanent Select Committee on Intelligence, 112th Congress, 10 February 2011.

5 "The Comprehensive National Cybersecurity Initiative." The White House, Executive Office of the President, 29 May 2009.

6 Reeder, Kara. "Government Cyber Security Spending to Reach $13.3 Billion in 2015." Network Security Edge, 2 December 2010.

7 Doyle, Eric. "Cameron Pledges £650m to Cyber Defence Strategy." eWeek Europe, 20 October 2010.

8 Smith, Josh. "White House Official: Cyber Attacks Are Risk of Doing Business." National Journal, 27 April 2011.

9 Sommer, Peter, and Ian Brown. Reducing Systemic Cybersecurity Risk. Organisation for Economic Co-operation and Development (OECD), 14 January 2011.

10 Brito, Jerry, and Tate Watkins. "Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy." Mercatus Center, George Mason University, 26 April 2011.
